Splunk ITSI
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

ITSI query to generate a list of Services with their associated entities and alerts

theprophet01
Explorer
‎04-15-2024 02:14 PM

Hello Fellow Splunkers,

I'm fairly new to ITSI and was wondering if this could be achieved. I 'm looking to create a report which would allow me to list all Services I have in ITSI along with their associated entities as well as list associated alerts or severity. Is there a query that could achieve this? any pointers are very much appreciated! Also any pointers where I could potentially find the data and bring it together in a search would be very helpful too.

Thanks!

Labels (2)
Labels
0 Karma
Reply

skramp
SplunkTrust
SplunkTrust
‎09-12-2024 12:24 AM

maybe |getservice can also help 😉

|getservice

  

0 Karma
Reply

proyleJDS
Path Finder
‎08-05-2024 04:06 PM

This search should give you a start on what you need

| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/service report_as=text filter="{\"enabled\":1}" 
| eval services_as_json=spath(value,"{}") 
| fields services_as_json 
| mvexpand services_as_json
| eval kpis_as_json=spath(services_as_json, "kpis{}") 
| fields - services_as_json 
| mvexpand kpis_as_json 
| spath input=kpis_as_json 
| fields - kpis_as_json 
| rename key as kpiid
| search service_title!="ServiceHealthScore"
| eval search = if(isnotnull(base_search_id),"",base_search) 
| search "aggregate_thresholds.thresholdLevels{}.severityLabel"!="" "aggregate_thresholds.thresholdLevels{}.thresholdValue"!=""
| rename service_title as Service "aggregate_thresholds.baseSeverityLabel" as "Base Threshold" "aggregate_thresholds.thresholdLevels{}.severityLabel" as "Thresholds" "aggregate_thresholds.thresholdLevels{}.thresholdValue" as "Threshold Values" title as KPI description as Description unit as Unit urgency as "Importance Score"
| table Service KPI Description "Base Threshold" Thresholds "Threshold Values" "Importance Score"
| join type=outer Service
    [| inputlookup itsi_entities
| fields services._key title
| rename services._key as services title as host
| mvexpand services
| lookup service_kpi_lookup _key as services
| stats list(host) as host by title
    | eval host=mvjoin(host, ",")
| rename title as Service]
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...